diff options
| author | James Yonan <james@openvpn.net> | 2010-10-24 09:12:47 +0000 |
|---|---|---|
| committer | James Yonan <james@openvpn.net> | 2010-10-24 09:12:47 +0000 |
| commit | 3cf9dd88fd84108eccfcce0ebf44e00f9481cd82 (patch) | |
| tree | 03264d8f2741babc01a8ab2bbe9a8d2b546f3147 /ssl.c | |
| parent | Fixed initialization bug in route_list_add_default_gateway (diff) | |
| download | openvpn-3cf9dd88fd84108eccfcce0ebf44e00f9481cd82.tar.xz | |
Implement challenge/response authentication support in client mode,
where credentials are entered from stdin. This capability is
compiled when ENABLE_CLIENT_CR is defined in syshead.h (enabled
by default).
Challenge/response support was previously implemented for creds
that are queried via the management interface. In this case,
the challenge message will be returned as a custom
client-reason-text string (see management-notes.txt for more
info) on auth failure.
Also, see the comments in misc.c above get_auth_challenge()
for info on the OpenVPN challenge/response protocol.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6568 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to '')
| -rw-r--r-- | ssl.c | 27 |
1 files changed, 27 insertions, 0 deletions
@@ -286,6 +286,10 @@ pem_password_callback (char *buf, int size, int rwflag, void *u) static bool auth_user_pass_enabled; /* GLOBAL */ static struct user_pass auth_user_pass; /* GLOBAL */ +#ifdef ENABLE_CLIENT_CR +static char *auth_challenge; /* GLOBAL */ +#endif + void auth_user_pass_setup (const char *auth_file) { @@ -294,6 +298,8 @@ auth_user_pass_setup (const char *auth_file) { #if AUTO_USERID get_user_pass_auto_userid (&auth_user_pass, auth_file); +#elif defined(ENABLE_CLIENT_CR) + get_user_pass_cr (&auth_user_pass, auth_file, UP_TYPE_AUTH, GET_USER_PASS_MANAGEMENT|GET_USER_PASS_SENSITIVE, auth_challenge); #else get_user_pass (&auth_user_pass, auth_file, UP_TYPE_AUTH, GET_USER_PASS_MANAGEMENT|GET_USER_PASS_SENSITIVE); #endif @@ -321,8 +327,29 @@ ssl_purge_auth (void) #endif purge_user_pass (&passbuf, true); purge_user_pass (&auth_user_pass, true); +#ifdef ENABLE_CLIENT_CR + ssl_purge_auth_challenge(); +#endif +} + +#ifdef ENABLE_CLIENT_CR + +void +ssl_purge_auth_challenge (void) +{ + free (auth_challenge); + auth_challenge = NULL; } +void +ssl_put_auth_challenge (const char *cr_str) +{ + ssl_purge_auth_challenge(); + auth_challenge = string_alloc(cr_str, NULL); +} + +#endif + /* * OpenSSL callback to get a temporary RSA key, mostly * used for export ciphers. |